The United States privacy landscape continues to evolve rapidly. With no comprehensive federal privacy law in place, states have taken the lead in protecting consumer data rights. As of 2026, over a dozen states have enacted comprehensive privacy legislation, with more laws taking effect throughout the year.
This guide provides an overview of all active US state privacy laws and practical compliance strategies.
The Current State Privacy Landscape
Unlike the European Union with GDPR, the US lacks a single federal privacy law covering all consumer data. Instead, a patchwork of state laws has emerged, each with unique requirements, thresholds, and consumer rights.
States with Active Privacy Laws (2026)
| State | Law | Effective Date | Status |
|---|---|---|---|
| California | CCPA/CPRA | Jan 2020 / Jan 2023 | Active |
| Virginia | VCDPA | Jan 2023 | Active |
| Colorado | CPA | Jul 2023 | Active |
| Connecticut | CTDPA | Jul 2023 | Active |
| Utah | UCPA | Dec 2023 | Active |
| Iowa | ICDPA | Jan 2025 | Active |
| Indiana | INCDPA | Jan 2026 | Active |
| Tennessee | TIPA | Jul 2025 | Active |
| Texas | TDPSA | Jul 2024 | Active |
| Oregon | OCPA | Jul 2024 | Active |
| Montana | MCDPA | Oct 2024 | Active |
| Delaware | DPDPA | Jan 2025 | Active |
| New Hampshire | NHDPA | Jan 2025 | Active |
| New Jersey | NJDPA | Jan 2025 | Active |
| Maryland | MODPA | Oct 2025 | Active |
| Minnesota | MCDPA | Jul 2025 | Active |
| Nebraska | NDPA | Jan 2025 | Active |
| Rhode Island | RIDPA | Jan 2026 | Active |
| Kentucky | KCDPA | Jan 2026 | Active |
Key State Laws Explained
California (CCPA/CPRA)
California pioneered US state privacy law with CCPA in 2020, enhanced by CPRA in 2023.
Applicability Thresholds:
- Annual gross revenue over $25 million, OR
- Buys, sells, or shares data of 100,000+ consumers/households, OR
- 50%+ of revenue from selling/sharing personal information
Key Consumer Rights:
- Right to know what data is collected
- Right to delete personal information
- Right to opt-out of sale/sharing
- Right to correct inaccurate information
- Right to limit use of sensitive data
- Right to non-discrimination
Unique Requirements:
- California Privacy Protection Agency (CPPA) enforcement
- Risk assessments for high-risk processing
- Cybersecurity audits for certain businesses
- Automated decision-making transparency
Penalties:
- $2,500 per unintentional violation
- $7,500 per intentional violation
- Private right of action for data breaches
Virginia (VCDPA)
Virginia was the second state to enact comprehensive privacy legislation.
Applicability Thresholds:
- Controls/processes data of 100,000+ consumers, OR
- Controls/processes data of 25,000+ consumers AND derives 50%+ revenue from selling data
Key Features:
- Opt-out model for targeted advertising and sales
- Data protection assessments required
- No private right of action
- Attorney General enforcement only
- 30-day cure period
Consumer Rights:
- Access, correction, deletion, portability
- Opt-out of targeted advertising, sales, profiling
Colorado (CPA)
Colorado’s law includes universal opt-out mechanism requirements.
Applicability Thresholds:
- Controls/processes data of 100,000+ consumers, OR
- Controls/processes data of 25,000+ consumers AND derives revenue from selling data
Unique Features:
- Must recognize universal opt-out mechanisms (like GPC)
- Data protection assessments required
- Mandatory privacy notice requirements
- No revenue threshold
Texas (TDPSA)
Texas joined the privacy law landscape with broad applicability.
Applicability Thresholds:
- Conducts business in Texas or produces products/services consumed by Texas residents
- Processes or sells personal data
- NOT a small business as defined by SBA
Key Features:
- Broad definition of “sale” including monetary and other consideration
- 30-day cure period
- No private right of action
- Must process opt-out requests within 15 days
Oregon (OCPA)
Oregon’s law has unique provisions for nonprofit organizations.
Applicability Thresholds:
- Controls/processes data of 100,000+ consumers, OR
- Controls/processes data of 25,000+ consumers AND derives 25%+ revenue from selling data
Unique Features:
- Applies to nonprofits (unlike most state laws)
- Expanded definition of sensitive data includes transgender status
- Must recognize universal opt-out signals
- 30-day cure period (expires Jan 2026)
Common Requirements Across State Laws
Despite variations, most state privacy laws share common elements:
Consumer Rights (Universal)
- Right to Access - Know what personal data is collected
- Right to Delete - Request deletion of personal data
- Right to Correct - Fix inaccurate information
- Right to Portability - Receive data in usable format
- Right to Opt-Out - Decline sale/targeted advertising
Business Obligations
- Privacy Notice - Clear disclosure of data practices
- Data Processing Agreements - Contracts with processors
- Security Measures - Reasonable data protection
- Consumer Request Handling - Process requests within timeframes
- Non-Discrimination - Cannot penalize consumers for exercising rights
Opt-Out Requirements
Most laws require opt-out mechanisms for:
- Sale of personal data
- Targeted advertising
- Certain profiling activities
Consent Models Compared
US state laws primarily use opt-out models, contrasting with GDPR’s opt-in approach.
Opt-Out Model (Most US States)
- Default: Data collection and processing ALLOWED
- User Action: Must opt-out to stop processing
- Consent Banner: "Do Not Sell My Personal Information" link
Opt-In for Sensitive Data
All state laws require opt-in consent for sensitive data:
- Racial or ethnic origin
- Religious beliefs
- Health information
- Sexual orientation
- Genetic/biometric data
- Precise geolocation
- Children’s data
Implementation Example
```javascript
// Kurabiye handles US state compliance automatically
kurabiye.init({
  region: 'auto-detect',
  compliance: {
    ccpa: {
      enabled: true,
      dnsLink: true, // "Do Not Sell" link
      gpcSupport: true, // Global Privacy Control
    },
    statePrivacy: {
      enabled: true,
      autoDetect: true, // Detect user's state
    },
  },
});
```
Global Privacy Control (GPC)
Several states now require businesses to honor Global Privacy Control signals.
States Requiring GPC Recognition
- California (CPRA)
- Colorado (CPA)
- Connecticut (CTDPA)
- Montana (MCDPA)
- Oregon (OCPA)
- Texas (TDPSA)
Implementing GPC
```javascript
// Check for GPC signal. Browsers without GPC support leave the property
// undefined, so compare strictly against true.
if (navigator.globalPrivacyControl === true) {
  // User has opted out via browser setting
  // Must treat as valid opt-out request
  processOptOut();
}

// Kurabiye handles GPC automatically
kurabiye.init({
  gpc: {
    enabled: true,
    treatAsOptOut: true,
  },
});
```
Data Protection Assessments
Many state laws require risk assessments for certain processing activities:
Activities Requiring Assessment
- Targeted advertising
- Sale of personal data
- Profiling with legal/significant effects
- Processing sensitive data
- Processing children’s data
Assessment Requirements
- Processing Description - What data, why, how
- Risk Identification - Potential harms to consumers
- Benefit Analysis - Business justification
- Mitigation Measures - How risks are addressed
- Documentation - Records for regulatory review
Compliance Strategy for Multi-State Operations
Approach 1: Highest Standard (Recommended)
Apply the most restrictive requirements to all US users:
Benefits:
- Simplified compliance
- Future-proof against new laws
- Consistent user experience
Implementation:
- Honor all opt-out requests regardless of state
- Recognize GPC universally
- Provide all consumer rights to everyone
- Conduct data protection assessments for all high-risk processing
Approach 2: Geographic Segmentation
Apply state-specific requirements based on user location:
Challenges:
- Accurate geolocation required
- Complex logic and maintenance
- Risk of misidentification
When Appropriate:
- Significant operational differences between markets
- State-specific features or services
- Legal requirement for differentiation
Approach 3: Tiered Compliance
Group states by similar requirements:
| Tier | States | Key Requirements |
|---|---|---|
| Tier 1 | California | Full CPRA compliance |
| Tier 2 | CO, CT, OR, MT | GPC + Universal opt-out |
| Tier 3 | VA, UT, TX, others | Standard opt-out |
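The following is an added example, not Kurabiye code, showing how the GPC handling from the "Implementing GPC" section and the "highest standard" versus "tiered" strategies above can be combined into one opt-out decision with an audit record. It assumes the GPC signal arrives either as the browser property `navigator.globalPrivacyControl` (client side) or as the `Sec-GPC: 1` request header (server side), both defined by the GPC specification; the function and field names are hypothetical.

```javascript
// Added example (not Kurabiye code): decide whether an opt-out must be honoured,
// from an explicit request or a GPC signal, under the two strategies on this page.
// Assumption: GPC arrives as navigator.globalPrivacyControl (client) or as the
// request header "Sec-GPC: 1" (server), as the GPC specification defines.

// States this page lists as requiring GPC recognition.
const GPC_STATES = new Set(['CA', 'CO', 'CT', 'MT', 'OR', 'TX']);

// Normalize a state input to a two-letter code; null if it cannot be trusted.
function normalizeState(state) {
  if (typeof state !== 'string') return null;
  const code = state.trim().toUpperCase();
  return /^[A-Z]{2}$/.test(code) ? code : null;
}

// A GPC signal counts only when the header is exactly "1" or the navigator
// property is exactly true; any other value is treated as "no signal".
function gpcSignalPresent({ secGpcHeader, navigatorGpc } = {}) {
  return secGpcHeader === '1' || navigatorGpc === true;
}

// strategy 'highest': honour GPC for every US user (Approach 1).
// strategy 'tiered':  honour GPC only where this page says it is required
//   (Approach 3), and fall back to the most protective reading when the
//   user's state could not be determined (see the FAQ on geolocation).
// The returned object doubles as the opt-out record to retain for audit.
function decideOptOut({ state, explicitOptOut = false, secGpcHeader,
                        navigatorGpc, strategy = 'highest' }) {
  const code = normalizeState(state);
  const recordedAt = new Date().toISOString();
  if (explicitOptOut) {
    return { optOut: true, basis: 'explicit', state: code, recordedAt };
  }
  if (!gpcSignalPresent({ secGpcHeader, navigatorGpc })) {
    return { optOut: false, basis: null, state: code, recordedAt };
  }
  const required = strategy === 'highest' || code === null || GPC_STATES.has(code);
  return {
    optOut: required,
    basis: required ? 'gpc' : null,
    reason: required ? undefined : 'gpc-not-required-in-state',
    state: code,
    recordedAt,
  };
}
```

Persist the returned record with the request that produced it; the `basis` field is what a regulator asks for when checking that a GPC signal was treated as a valid opt-out.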
Practical Implementation Checklist
Privacy Notice Updates
- List all categories of personal data collected
- Disclose sale/sharing of data
- Explain consumer rights per applicable state
- Provide opt-out instructions
- Include contact information
- Update for each new state law
Technical Implementation
- Implement “Do Not Sell” mechanism
- Honor Global Privacy Control signals
- Process opt-out requests within required timeframes
- Maintain consent/opt-out records
- Implement data subject request handling
- Set up geolocation for state detection
Vendor Management
- Review all data processing agreements
- Ensure vendors can comply with deletion requests
- Verify vendor security practices
- Update contracts for new state requirements
- Maintain vendor inventory
Documentation
- Conduct and document data protection assessments
- Maintain records of consumer requests
- Document opt-out processing
- Keep privacy notice version history
- Track compliance activities
Upcoming Changes to Watch
Potential 2026-2027 Legislation
Several states have privacy bills in progress:
- New York (NY Privacy Act)
- Pennsylvania
- Massachusetts
- North Carolina
- Washington (updated WDPA)
Federal Privacy Law Prospects
A comprehensive federal law could:
- Preempt state laws
- Create uniform national standard
- Simplify multi-state compliance
- Potentially weaken current protections
Monitor developments and plan for flexibility.
FAQ
Do I need to comply with all state privacy laws?
You need to comply with laws in states where you do business or have consumers. If you meet any state’s thresholds, you must comply with that state’s law.
What if I am below all applicability thresholds?
If you do not meet any state’s thresholds, you are not legally required to comply. However, following privacy best practices builds consumer trust.
How do I determine which state law applies to a user?
Use IP geolocation to determine user location. When uncertain, apply the most protective standard or give users the choice.
Must I recognize Global Privacy Control?
If you operate in California, Colorado, Connecticut, Montana, Oregon, or Texas, you must recognize GPC signals as valid opt-out requests.
What are the penalties for non-compliance?
Penalties vary by state, ranging from $2,500 to $20,000 per violation. Most states allow cure periods before penalties apply.
Can consumers sue me under these laws?
Most state laws only allow attorney general enforcement. California allows private lawsuits for data breaches. Check each law’s specific provisions.
How do I handle data subject requests?
Establish processes to verify identity, respond within required timeframes (typically 45 days), and fulfill requests for access, deletion, correction, and opt-out.
Do these laws apply to B2B data?
Most state laws include exemptions for employee and B2B data. California is notable for including these categories under CPRA.
How often should I review compliance?
Review quarterly as new laws take effect and existing laws are amended. Major reviews should occur when entering new states or launching new data practices.
What is the best approach for a small business?
Start with California compliance (CCPA/CPRA) as the highest standard. Use consent management tools that automatically adapt to user location.